
Integrate your IT-OT security efforts to protect against cybersecurity threats

In this installment of Automation Zone, don’t let culture gaps leave your operations vulnerable to cybersecurity threats.

By Dawn Cappelli, VP of global security and chief information security officer, Rockwell Automation

Too many manufacturers are leaving their operations exposed to cybersecurity threats because their information technology (IT) and operational technology (OT) teams are not working together to address security in a unified way. A lack of cohesion and collaboration between these groups can create unnecessary hurdles to getting the work done and can lead to discrete approaches and critical gaps. This ultimately leaves the entire organization vulnerable to cyberattack.

When teams are operating in harmony, they can be more strategic in addressing security gaps. This alignment allows leaders to take a step back, look at the organization’s big picture, figure out where the gaps are, and then prioritize based on risk while leveraging the best resources on both sides of the IT/OT ecosystem.

Thankfully, none of us is alone in this endeavor. We can leverage partnerships and tools like the National Institute of Standards and Technology (www.nist.gov) cybersecurity framework (NIST CSF) – a framework consisting of five security functions, 23 categories, and 108 subcategories that include cyber, physical, and personnel topics, all with a focus on business outcomes. We use the NIST CSF at Rockwell Automation, and we continuously see benefits, both in our security and in the way our teams operate in general.

Building a strategy and prioritizing risks together


One of the biggest issues facing IT and OT teams today is determining who does what when it comes to security. For example, we see this in Security Operations Centers (SOCs), which monitor security feeds across a network and detect and respond to suspicious or anomalous activity. SOCs have traditionally existed in the IT world, but now their capabilities are needed also in OT environments. This has led to some tensions and confusion regarding who should take the lead.

The truth is, both sides need to work together. IT teams know how IT technology and security tools work, while OT teams have the technical OT expertise needed to provide context for analyzing and interpreting the manufacturing data. For example, anomalous activity on the plant floor could indicate a security breach or a misconfiguration of a controller or other piece of OT equipment. Effective incident response requires representation from both IT and OT. 

The key to crossing the cultural chasm between IT and OT is for both teams to work together to develop a strategic road map for IT/OT security using the NIST CSF. In fact, Rockwell Automation followed this strategy almost three years ago by holding a multiday workshop in which IT, security, plant managers, and other key plant employees worked their way through the NIST CSF together. The workshop provided a learning opportunity for everyone and led to a common understanding of the current state of our security posture, the desired state, the risks posed by the gaps, and a prioritized road map for closing them.

Too many organizations today are jumping at new OT security technologies without taking a step back and comprehensively analyzing their security risks. When we came together, one of the most valuable things we were able to do was prioritize our cybersecurity risks, including those centered on people, processes, and technology. Before, we lacked the organizational context to understand which risks truly bubbled to the top. Through our discussions, we could see the whole picture, and we were able to quantify and prioritize risks based on likelihood of occurrence and impact.

In addition to developing an integrated security strategy, the workshop discussions helped us identify issues that could be addressed fairly quickly and easily. For example, we discovered that we needed to communicate about security to employees in our plants differently than in the rest of the company, which would help us bolster our security culture in a big way.

Most plant employees are not on computers every day, so communicating about security online doesn’t work, and many of the issues are not relevant to them. From this insight, we developed security newsletters that we distribute to plants each month, to be posted in common areas. The newsletters are specifically targeted at the interests and risks posed by those employees, including security at home and at work.

It was extremely valuable for us to bring together the IT and OT teams to build our initial integrated security strategy. Starting out with a strategy that has been built as a team ultimately helps everyone feel like they are all working toward the same goal. Three years later, the teams are still working together toward those common goals.

Staying vigilant


Of course, every security strategy needs to be continually reviewed, which is why the NIST cybersecurity framework continues to evolve as the threat landscape changes. Our plan is continuously reviewed, managed, and tweaked by the team based on changes in both the risk landscape and our perceived tolerances to these risks. Having this collaborative culture at the foundation of our standards-driven strategy has been critical to our progress in the area of cybersecurity.

Two years ago, we realized we once again needed to expand our approach. In addition to addressing cyber risk within IT/OT environments, we also had to consider how our road maps for product security and security services fit within our overall security strategy.

While it is still important to have those individualized road maps, we recognized the need to have a holistic cybersecurity strategy that encompasses our entire connected enterprise ecosystem: our infrastructure (IT and OT), our products and services, and our customers, as well as the connections among all of them. We have now used the same kinds of techniques described above to cross additional cultural chasms by creating a strategic security road map that includes that entire ecosystem.

You may have gaps that are exposing your organization to cybersecurity threats, but you can start closing them today by working to align your culture around a common goal of protecting your organization’s assets and your organization’s ecosystem.